Don't Underestimate Physical Security

Ralph DeFrangesco

We walk up to a door and scan our badge. The door opens. We don't even give it a second thought. It's just there: security. Protecting assets should be the number-one job of all IT professionals, whether the asset is the database, the operating system, people, or physical access to the servers themselves. We should question anyone we see in the data center who doesn't belong there or whom we have never seen before.


Good physical security uses the following policies, at a minimum:


Require a badge to enter the data center. For smaller companies where this is not possible, it should be under lock-and-key and available on an as-needed basis. The door should never be left open for any reason. Where possible, an entrance control service should be established.


All systems should require console access to gain root/administrator access. This forces everyone who wants administrative rights to be physically present in the data center, which also makes administrative activity easier to track.
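As an added example (not from the original post), the following POSIX shell audit checks whether a Linux host actually enforces the console-only root rule: it reads the effective `PermitRootLogin` value from an sshd_config (sshd honours the first occurrence of a keyword and ignores comment lines) and lists any entry in a securetty file that is not a local console. It assumes the host uses pam_securetty; the file contents and paths are constructed samples.

```shell
#!/bin/sh
# Added example: audit the "root only from the physical console" control.
# Assumptions: OpenSSH reads PermitRootLogin from sshd_config (first match wins,
# comment lines ignored) and PAM's pam_securetty limits root logins to the
# terminals listed in /etc/securetty. All inputs below are constructed samples.

# Print the effective PermitRootLogin value from the sshd_config in $1.
# Keywords are case-insensitive; "missing" means sshd falls back to its default.
ssh_root_login_value() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1")
    printf '%s\n' "${v:-missing}"
}

# Print every securetty entry in $1 that is not a local console (console, ttyN).
# Pseudo-terminals such as pts/0 would let root log in over the network.
securetty_remote_entries() {
    awk '/^[[:space:]]*(#|$)/ { next } !/^(console|tty[0-9]+)$/ { print }' "$1"
}

# PASS only when remote root SSH is disabled and securetty lists consoles only.
root_console_only_check() {
    ssh_val=$(ssh_root_login_value "$1")
    remote=$(securetty_remote_entries "$2")
    if [ "$ssh_val" = "no" ] && [ -z "$remote" ]; then
        echo "PASS"
    else
        echo "FAIL: PermitRootLogin=$ssh_val remote_securetty=[$remote]"
    fi
}

# Constructed sample configurations: a weak host and a hardened one.
WEAK_SSHD=$(mktemp); GOOD_SSHD=$(mktemp); WEAK_TTY=$(mktemp); GOOD_TTY=$(mktemp)
cat >"$WEAK_SSHD" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
permitrootlogin no
EOF
cat >"$GOOD_SSHD" <<'EOF'
Port 22
PermitRootLogin no
EOF
printf 'console\ntty1\npts/0\n' >"$WEAK_TTY"
printf '# local virtual consoles only\nconsole\ntty1\ntty2\n' >"$GOOD_TTY"

root_console_only_check "$WEAK_SSHD" "$WEAK_TTY"   # prints a FAIL line naming pts/0
root_console_only_check "$GOOD_SSHD" "$GOOD_TTY"   # prints PASS
```

The commented default in the weak sample is ignored and the later lowercase `permitrootlogin no` never takes effect, which is exactly the kind of detail a manual review misses.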


Cameras should be used where practical. Even a small shop can afford a camera today. Stream the data feed to a manager's PC or set up a small TV.


Make vendors and people who normally belong in the data center sign a sign-in sheet. This records who was there, when, and what they were doing. In addition, visitors should be escorted during their stay.


The data center should never have a window in it. I have seen many data centers with windows in them. This is a major security problem.


This should go without saying, but unfortunately I have to say it. The data center should be alarmed for fire and theft. I have seen small companies that use a "closet" as their data center and they do not alarm it.


For small companies that use a "closet" as a data center, use a steel door. It controls access far better than a wood door.


Don't hang a sign on the door that says "Data Center." Make it inconspicuous and hard to find.


And in preparation for that disastrous day, have a contingency plan. What would you do if your equipment were stolen?


All policies must be in writing and the entire organization trained on the policies. Individuals must sign a form stating they were trained and a copy kept on file.


I once worked for a midsized company where it was announced that we were merging with another company. Many people were angry about the merger. We noticed one day that someone had powered off a set of disk drives. At first, I didn't think that anyone would do that on purpose. It was possible to brush against an external switch and power it off accidentally. After it happened three more times, we got the message.


Along with the data center, the same practices hold true for access to the rest of the organization. Today, desktop users have access to data that we might not want someone just walking through the department to see. Remember, if you share a building with someone, as in a multi-tenant building, the tenant with the weakest security policies becomes your biggest security threat.


In an economy where companies are reducing their workforce, physical security has never been so important.

Jan 14, 2009 3:55 AM David Lineman says:
These are all excellent points. In fact, we recently updated our PolicyShield Subscription to include a number of new pre-written policies related to physical security, including campus-wide security controls. Physical security is also becoming a bigger issue during IT risk assessments, as more and more laptops and PDAs get lost or stolen. The convergence of physical and IT security is finally arriving.

Jan 15, 2009 2:22 AM Tasneam says:
Hi,
Physical security in a corporate environment can be controlled to a very large extent. The same does not hold true for public places and school/college/university campuses. Access cards for physical access may not be a practical solution. College campuses are open areas. It may not be possible to deploy cameras there. Any thoughts on how to achieve physical security of such places?

Jan 15, 2009 11:16 AM Ralph DeFrangesco says:
Tasneam,
I did some research and found the following best practices for securing colleges and universities:
1.) Use security personnel in place of CCTVs. This addresses the privacy issues related to cameras in public places.
2.) Create secure entry ways staffed by security professionals.
3.) Create safe areas on campus.
4.) Create a communications and rapid response program for addressing emergencies.
5.) Create a process for identifying and assessing distressed and suspicious individuals on campus.
6.) Make sure your staff keeps up on the latest technology by having them take classes on security, incident management, and disaster planning.
7.) Create an incident management team.
8.) Deploy campus police call stations throughout the campus.
9.) Critical areas should be well lit.
Security on a large university should involve the surrounding community, police, campus security, students, faculty, and university leaders.
Hope this helps,
-Ralph

Jan 22, 2009 6:07 AM Tasneam says:
Thanks Ralph. To a large extent this helps. However, all this may not be a very deployable solution for schools, colleges and universities with monetary resource constraints. Would it not help to impart security awareness training to all the students and form some kind of a vigilance group within the student forum? Also impart knowledge on concepts like social engineering, identity theft etc. to the student community. This serves to increase awareness of non-IT related security breaches too. My two cents.
Tasneam

Jan 22, 2009 9:41 AM Ralph DeFrangesco says:
Tasneam,
You make an excellent point. I did not mean for this list to be comprehensive. Educating your users will go a long, long way. After all, they are the weakest point in the "security chain". Anything you can do to increase their understanding will benefit them and your organization. Thank you for your input.
-Ralph
